
IT Security Checklist

For Disability & Mental Health Service Providers

FOCUS Care LLC • focuscarellc.com

Use this checklist to evaluate your organization's IT security posture. Each item represents a best practice that helps protect your clients' data, maintain regulatory compliance, and reduce the risk of costly breaches. Review regularly and address any gaps promptly.

1. Access Control & Authentication

Implement multi-factor authentication (MFA) for all staff accounts
Enforce strong password policies (minimum 12 characters, complexity requirements)
Review and audit user access permissions quarterly
Disable accounts immediately upon staff departure
Use role-based access control (RBAC) for all systems
Maintain a current inventory of all user accounts and access levels

2. Network Security

Deploy and maintain enterprise-grade firewalls
Segment networks to isolate sensitive data (e.g., client records)
Use encrypted Wi-Fi (WPA3) with separate guest networks
Monitor network traffic for anomalies and intrusion attempts
Conduct regular vulnerability scans (at least quarterly)
Keep the firmware on all network devices up to date

3. Data Protection & HIPAA Compliance

Encrypt all protected health information (PHI) at rest and in transit
Implement automatic screen locks after 5 minutes of inactivity
Maintain Business Associate Agreements (BAAs) with all IT vendors
Conduct annual HIPAA risk assessments
Establish and test data backup and disaster recovery procedures
Document all data flows — know where PHI is stored and transmitted

4. Endpoint Security

Install and maintain endpoint detection and response (EDR) software
Enable automatic operating system and application updates
Encrypt all laptops, tablets, and mobile devices
Implement mobile device management (MDM) for staff devices
Disable USB ports on workstations handling sensitive data
Maintain an up-to-date hardware and software inventory

5. Email & Communication Security

Deploy email filtering and anti-phishing solutions
Enable DMARC, DKIM, and SPF for your email domain
Train staff to recognize phishing and social engineering attempts
Use encrypted messaging platforms for sharing client information
Establish policies for acceptable use of personal devices
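One way to verify the SPF and DMARC part of the email authentication item above, as an added example that is not FOCUS Care's own code: it grades the TXT records a domain publishes, using constructed sample records in place of live DNS lookups (DKIM is left out because checking it requires knowing the selector name).

```python
import re

# Constructed sample TXT records standing in for DNS lookups (not real domains).
SAMPLE_TXT = {
    "good-clinic.test": ["v=spf1 include:_spf.mailhost.test -all"],
    "_dmarc.good-clinic.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@good-clinic.test"],
    "weak-clinic.test": ["v=spf1 include:_spf.mailhost.test ?all"],
    "_dmarc.weak-clinic.test": ["v=DMARC1; p=none; pct=100"],
    "partial-clinic.test": ["v=spf1 -all"],
}

def check_spf(domain, records):
    """Grade the SPF record: 'ok' needs exactly one v=spf1 record ending in -all or ~all."""
    spf = [r for r in records.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        return "missing"
    if len(spf) > 1:
        return "invalid"  # RFC 7208: more than one SPF record is a permanent error
    match = re.search(r"(?:^|\s)([+\-~?]?)all\s*$", spf[0])
    if match and match.group(1) in ("-", "~"):
        return "ok"
    return "weak"  # '+all', '?all' or no 'all' term: any sender can pass SPF

def check_dmarc(domain, records):
    """Grade the record at _dmarc.<domain>: 'ok' needs p=quarantine or p=reject at 100%."""
    dmarc = [r for r in records.get("_dmarc." + domain, []) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        return "missing"
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("p") not in ("quarantine", "reject"):
        return "weak"  # p=none only monitors; spoofed mail is still delivered
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        return "weak"  # policy applied to only part of the mail stream
    return "ok"

def assess_email_auth(domain, records=SAMPLE_TXT):
    """Return the SPF and DMARC grades for a domain as a dict."""
    return {"spf": check_spf(domain, records), "dmarc": check_dmarc(domain, records)}

if __name__ == "__main__":
    for d in ("good-clinic.test", "weak-clinic.test", "partial-clinic.test"):
        print(d, assess_email_auth(d))
```

To run it against a real domain, replace the dictionary lookup with the TXT answers from your DNS resolver; the grading logic stays the same.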

6. Incident Response & Business Continuity

Develop and maintain a written incident response plan
Designate an incident response team with clear roles
Conduct tabletop exercises at least annually
Establish breach notification procedures per HIPAA requirements
Test backup restoration procedures quarterly
Maintain offline copies of critical documentation

7. Staff Training & Awareness

Conduct security awareness training for all staff upon hire
Provide annual refresher training on current threats
Run simulated phishing campaigns to test awareness
Post security reminders in common areas and digital signage
Establish a clear process for reporting security concerns

Need Help Implementing These?

FOCUS Care specializes in helping disability and mental health service providers strengthen their IT security. Contact us for a free consultation.
